ICO consultation on the draft updated data sharing code of practice 


Q1 Does the updated code adequately explain and advise on the new aspects of data protection legislation which are relevant to data sharing?

( ) Yes
(x) No
Q2 If not, please specify where improvements could be made. 


I'd like to see more clarification about "sharing" from a controller to a processor, as I don't believe this is true sharing. It doesn't need
a lawful basis, the legal mechanism is Article 28. It is not sharing as the processor is bound by the controller, essentially the
controller has extended their capacity.


Q3 Does the draft code cover the right issues about data sharing? 
(x) Yes
( ) No

Q4 If no, what other issues would you like to be covered in it? 

Q5 Does the draft code contain the right level of detail? 


(x) Yes
( ) No


Q6 If no, in what areas should there be more detail within the draft code?

Q7 Has the draft code sufficiently addressed new areas or developments in data protection that are having an impact on your organisation’s data sharing practices?

(x) Yes
( ) No

Q8 If no, please specify what areas are not being addressed, or not being addressed in enough detail.

Q9 Does the draft code provide enough clarity on good practice in data sharing?

(x) Yes
( ) No

Q10 If no, please indicate the section(s) of the draft code which could be improved, and what can be done to make the section(s) clearer.

Q11 Does the draft code strike the right balance between recognising the benefits of sharing data and the need to protect it?

(x) Yes
( ) No

Q12 If no, in what way does the draft code fail to strike this balance?


Q13 Does the draft code cover case studies or data sharing scenarios relevant to your organisation?

( ) Yes
(x) No

Q14 Please provide any further comments or suggestions you may have about the draft code.


Page 4 “You must identify at least one lawful basis for sharing data from the start” Many of the examples do not identify lawful basis. It is possible to interpret, from later reading, you do not need a lawful basis when using the crime and taxation exemption. Consider adding: “There are no exceptions to the need for a lawful basis”.

Page 5 Bullet 1 “You must always...” add “unless an exemption applies” to end of first sentence. Also, what is an exception? Mentioning “exception” with “exemption” is confusing, DPA2018 doesn’t provide “exceptions”.

Page 5 Move bullet 5 “In order to comply...” to follow the above bullet as both mention lawfulness.

Page 5 Move bullet 3 “In a data sharing...” to above bullet 2 “Data protection law...” - I think the order would work better.

Page 10 Should “Controllers are defined under A4 of GDPR.” be a separate para to where it currently is? Controllers are defined differently for general processing vs law enforcement. Is this para sensitive to that in current structure?

Page 12 Example 1. Would be good to explain “public interest”, I don’t think you are referring to the lawful basis but more a general social good.

Page 18 On the section “Data pooling”. Mention that sharing data is limited to the purpose of sharing, otherwise you create an example of free for all.

Page 19 On the section “Data sharing between controllers” you should mention that when joint controllers are in play that the concurrent access to data does or doesn't constitute sharing (depending on your view). Joint controllers are potentially the recipients of the data, so don't share it to each other.

Page 19 On the section “Sharing data with a processor” - please expand to say the DC does not need a lawful basis to share data with a DP where the DP will be processing that data on behalf of the DC, and the DP does not need lawful basis to share data with the DC where they are processing that data on behalf of the DC.

Page 23 “Are we allowed to share the information” - illustrate a legal gateway is needed, you’ve concentrated on why not. For a statutory organisation a legal power is needed to even have an interest in sharing, then a legal gateway.

Page 25 Mention, somewhere, that participation in a DSA doesn’t of itself create a lawful basis.

Page 38 In definition of “public task” you appear to be conflating the GDPR definition with the further definition provided by DPA s8, suggest you stick to GDPR definition here, but add s8 as examples that satisfy public task. In definition of “legitimate interests” you correctly mention that public authorities cannot use in performance of their tasks. Please provide definition of “task” and “function” - link to case law. Could you make clear here, if processing to which the Crime and Taxation exemption applies satisfies the public task or legal obligation lawful basis by nature of the purpose. Many think the purpose of sharing creates the lawful basis.

Page 39 Possibly link to case law on “Necessary” to fully illustrate the definition.

Page 39 On the section “What do we need to do in respect of special category data...” I'd suggest adding further clarity to the concept of “additional condition for doing so” by specifying A9, the language changes in the following sentence so link back to “additional condition”. Also, need to refer to DPA s10 which controls which part of schedule 1 you can access.

Page 40 Para 1 “If the data you plan...” please clarify what is meant by “official authority”.

Page 40 On the section “How do we determine which lawful basis...” I'd suggest the second bullet point reads “for the purpose of law enforcement processing”.

Page 41 In “At a glance” you refer to “exception” - what is this vs “exemption”?

Page 42 Consider the para beginning “Finally...” to be included in the first bullet point as it refers to the same issue.

Page 44 On the section “How do we comply with...” you refer to “exception” - what is this vs “exemption”?

Page 59 Final para “there is an overriding public interest in a disclosure taking place”. Please explain how this would be lawful, possibly include lawful basis.

In chapter “Other legal requirements” (p57) could you explore personal data a local authority processes under its General Power of Competence - which I believe would move the LA from being “public authority in performance of tasks” to a non public authority and thereby even open up Legitimate Interests. At this point there is a risk an LA could try to use its GPOC to lever information held in a statutory function. Please consider mentioning powers like Crime and Disorder Act 1998 s17A and s115.

Page 61 Line return missing between para 1 and 2. Expand on duty of confidence.

Page 62 In para 1 “There are often...” you correctly mention organisations are hesitant at sharing data. Please expand on how it would be lawful to “protect the public, etc”. There is a confusion as to what the exemptions, like crime and taxation (sch 2) actually do. Are they exemptions to GDPR? Are they exemptions to the need to find a lawful basis? Are they specific sub lawful basis (so what is the true lawful basis)? Are they exemptions to rights and duties?

Page 63 In the example please illustrate the lawful basis, especially considering my above point.

Page 64 On the section “How do we”. Specify the lawful basis under A6, unless crime and taxation is also a lawful basis (see above). Mention Sch 1 is for SCD, not all the data.

Page 65 Para 2 “Where necessary” please explain if crime and taxation is a lawful basis itself.

Page 66 In the Example, please explain the lawful basis the shopkeeper is using to share the CCTV footage and why it is necessary to have an A9 basis in Sch 1 - is the CCTV footage SCD?

Page 67 In the Example, missing line break between para 3 and para 4.

Page 70 Consider adding reference to organisations separating not just coming together.

Page 80 On the section “What should we do in an emergency?” you say “in an emergency you should go ahead and share data as is necessary and proportionate” - please illustrate how this would be lawful.

Page 81 In the Example, please illustrate the lawful basis.

Page 99 Top case study. I appreciate this is concentrating on fairness and transparency but please illustrate the LB relevant to “police investigation” and separately “court order” (I'm guessing the latter is legal obligation).

Page 100 Top case study. Please illustrate the lawful basis.

Page 100. Bottom case study. You mention “obtain parents’ consent”...“but other lawful bases would be available to it”. Please expand on which, or possibly change “would” to “might”.

Page 101. Case study. Please illustrate lawful basis.

Page 103. Top case study. Please expand on why the LA should inform employees rather than relying on an exemption.

Page 104. Bottom case study (HMRC). Please illustrate lawful basis.

General comments

The biggest issues I encounter with data sharing are the following:
People not understanding what the “exemptions” do.
People thinking a DSA creates lawful sharing.
People not understanding sharing may be necessary processing as part of the original purpose (eg, customer buys a product (lawful basis contract), the seller has to share personal data with the payment industry provider to have the funds move around).

Also

Advice about using information for other purposes within an organisation appears to be missing. This was in the old guidance for LAs. I think in earlier consultations I commented that I didn’t feel it was appropriately explained, however I think absence is also wrong.

My view is data sharing only truly occurs between data controllers who will process the data for their own purposes. This therefore excludes data controller to data processor disclosure (data processor processing for controller within their purposes) and joint data controller processing (these are already named as recipients of data, so no act of disclosure as already received, and both are processing to original purpose). I think a data controller cannot disclose data to itself as the same data controller. So a local authority cannot disclose data from one department to another. This is true unless one of the departments is a separate data controller (eg Electoral Roll Officer). But a data controller cannot use the lack of the concept of sharing (due to the sharing being within the same and whole data controller) to permit data processed for one purpose to be processed for another, unless lawful under the principles of GDPR.


Q15 To what extent do you agree that the draft code is clear and easy to understand?

( ) Strongly agree
(x) Agree
( ) Neither agree nor disagree
( ) Disagree
( ) Strongly disagree

Q16 Are you answering as:

( ) An individual acting in a private capacity (e.g. someone providing their views as a member of the public)
( ) An individual acting in a professional capacity
(x) On behalf of an organisation
( ) Other

Q17 Please specify

Q18 Please specify
Local Authority Data Protection Team

Q19 Please specify


Thank you for taking the time to share your views and experience. 


